Vulnerability Tutorial - Internet Explorer vulnerabilities
  Updated: 07/08/14     (YELLOW light)
CVE 1999-0662
 
Impact

A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious web site hosted by the attacker.

Background
Microsoft Internet Explorer is an HTML web browser that ships by default with Microsoft Windows operating systems.

The Problem
Internet Explorer is missing critical patches which fix multiple vulnerabilities, the most critical of which could allow code execution with the privileges of the user when a user visits a malicious web site or opens an HTML e-mail message. In some cases the fix is not delivered as a patch, and the user must instead upgrade the version of Internet Explorer to avoid the vulnerability. Specifically:
  • 04/14/08
    Internet Explorer 8 has two vulnerabilities in Beta 1 (8.0.6001.17184): a persistent denial of service in the browser caused by prototype hijacking of the XDomainRequest object (the user must reboot the operating system to get rid of the problem), and multiple issues in the res:// protocol, including script injections.

  • 10/25/04
    The Shell.Explorer ActiveX object allows window objects to read and write files on the local file system. In conjunction with other vulnerabilities, such as the drag and drop vulnerability mentioned below, this could allow command execution by a malicious web page or HTML e-mail message.

Resolution
To use Internet Explorer securely, take the following steps:

(The vulnerabilities in IE 8, Beta 1 have not yet been patched)

(The response splitting and smuggling related to setRequestHeader() has not yet been patched)

(The file focus stealing vulnerability has not yet been patched)

(The stack overflow vulnerability has not yet been patched.)

(The document.open spoofing vulnerability has not yet been patched.)

Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article 870669.

To disable the Shell.Explorer object, set the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)

To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.
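
The Shell.Explorer registry setting above can be audited and applied with a short PowerShell script. This is an added example, not part of the original tutorial: the function names are hypothetical, the Wow6432Node path (the 32-bit view on 64-bit Windows) goes beyond the single key the page lists, and the script ORs 0x400 into any existing value rather than overwriting it, which yields 400 hex when no value is present.

```powershell
# Added example: audit and set the ActiveX kill bit for Shell.Explorer.
# CLSID and flag value are taken from the page; the Wow6432Node root and
# the function names are assumptions of this example.
$Clsid   = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
$KillBit = 0x400
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root, [string]$Clsid)
    $key   = "$Root\$Clsid"
    $flags = 0
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }
    # A missing key or value means the control is not blocked.
    [pscustomobject]@{
        Key    = $key
        Flags  = ('0x{0:X}' -f $flags)
        Killed = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Root, [string]$Clsid)
    if (-not (Test-Path -Path $Root)) { return }   # e.g. no Wow6432Node on 32-bit Windows
    $key = "$Root\$Clsid"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $cur  = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
    $new  = $cur -bor $KillBit                     # keep any other flag bits already set
    if ($PSCmdlet.ShouldProcess($key, ('set Compatibility Flags to 0x{0:X}' -f $new))) {
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

foreach ($root in $Roots) {
    # -WhatIf only reports the change; remove it and run elevated to apply.
    Set-KillBit -Root $root -Clsid $Clsid -WhatIf
    Get-KillBitState -Root $root -Clsid $Clsid
}
```

A Killed value of False on either path after the change has been applied means the control can still be instantiated by that build of Internet Explorer.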

More Information
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.

For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020, 03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052, 05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027, 07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045, 08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018, 10-035, 10-053, 10-071, 10-090, 11-003, 11-018, 11-031, 11-052, 11-050, 11-057, 11-081, 11-099, 12-010, 12-023, 12-037, 12-044, 12-052, 12-063, 12-071, 12-077, 13-008, 13-009, 13-010, 13-021, 13-028, 13-037, 13-038, 13-047, 13-055, 13-059, 13-069, 13-080, 13-088, 13-097, 14-010, 14-012, 14-018, 14-021, 14-029, 14-035, and 14-037.

Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A, TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.

The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.

Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq and Full Disclosure.